kapp icon indicating copy to clipboard operation
kapp copied to clipboard

Published 20 hours ago verified publisher icon carvel-dev

info: Resources: Falling back to checking each namespace separately (much slower)

Open ploef opened this issue 4 years ago • 13 comments

Hi,

I'm testing the "kapp app-group deploy ... " command and getting the warning:

"info: Resources: Falling back to checking each namespace separately (much slower)"

What can I do to make this warning disappear?

Kind regards, Peter

ploef avatar Nov 03 '21 10:11 ploef

@ploef it's just a warning that it's going to take a slower path -- nothing wrong with that specifically. would you mind sharing your rbac setup and what is the scope you are wanting to have kapp operate in (as in is it deploying resources to single namespace, multiple namespaces, namespace+cluster)?

cppforlife avatar Nov 04 '21 01:11 cppforlife

Same warning/info here, simply trying to deploy resources to a single NS. :)

$ kustomize build ... > kapp.yml
$ kapp deploy -a app -f kapp.yml
Target cluster '--%<--'

08:01:08PM: info: Resources: Falling back to checking each namespace separately (much slower)

[...]

ciis0 avatar Mar 30 '22 18:03 ciis0

https://github.com/vmware-tanzu/carvel-kapp/blob/6bca22dd864f60f1d36b9b499d0c5226adf3d07d/pkg/kapp/resources/resources.go#L551 seems to have been added here: https://github.com/vmware-tanzu/carvel-kapp/pull/327/files#diff-4bf6c9b48383fc3b53344634e9527785c014d0aa647140a49c63d76bc1b22918R549

ciis0 avatar Mar 30 '22 18:03 ciis0

https://gist.github.com/ciis0/e032866b877ea0341fa5c49a328fb0ba

ciis0 avatar Mar 30 '22 18:03 ciis0

Hi! I have the same issue with a deployment to a single namespace. Anyone knows how to avoid this?

semoac avatar May 20 '22 15:05 semoac

@semoac im assuming your RBAC allows to list namespaces? does it need to?

cppforlife avatar Jun 02 '22 20:06 cppforlife

@semoac im assuming your RBAC allows to list namespaces? does it need to?

It does. Right now yes but we are working to reimplement the "reason why" as an Operator.

semoac avatar Jun 02 '22 20:06 semoac

Hi,

im assuming your RBAC allows to list namespaces?

in our test-environment our Jenkins has one, single SA for all namespaces.

does it need to?

We have a large number of (dynamic) namespaces, maintaining one credential per NS would be quite cumbersome.

ciis0 avatar Jun 07 '22 14:06 ciis0

@semoac if you are deploying stuff to a single namespace, you may be able to make use of "--dangerous-scope-to-fallback-allowed-namespaces" flag to limit kapp to only look at the namespace that is provided via -n.

in our test-environment our Jenkins has one, single SA for all namespaces.

@ciis0 if you have a SA for all namespaces, does it not have cluster level priveleges to list certain resources? (if you can share gist of Role/ClusterRole, it would be helpful).

cppforlife avatar Jun 09 '22 00:06 cppforlife

Hi,

our cluster admin set that up, I'll check.

ciis0 avatar Jun 09 '22 05:06 ciis0

Hi,

we haven't used the cluster setup in a while, but I am also facing this issue when running kapp with my personal account which has access to large number of namespaces.

I am only deploying to a single namespace, maybe a flag or default to scan the current NS from kubeconfig could be added?

ciis0 avatar Jun 29 '22 09:06 ciis0

Hi @ciis0 Just like @cppforlife has mentioned, if you are deploying stuff to a single namespace, you may be able to make use of --dangerous-scope-to-fallback-allowed-namespaces flag to limit kapp to only look at the namespace that is provided via -n.

praveenrewar avatar Jul 05 '22 18:07 praveenrewar

missed that, the warning does not appear with that, thanks for the hint!

ciis0 avatar Jul 05 '22 22:07 ciis0